FAQ

Who runs this service?

This free tool is provided by Cryptosense,
a start-up making software which helps companies find and fix security flaws in
systems that use cryptography.

What is this tool for?

The Cryptosense Keytester accepts RSA public keys and tests for problems that would
make them insecure. In particular, we test four things:

Presence of the Infineon RSA key generation vulnerability.

Small factors that indicate a bug in key generation.

Presence in a "blacklist" of keys for which the private key is well-known.

Shared factors with one of the other keys in our database via a batch-GCD calculation.

We email results of the Infineon bug test immediately. The other tests are applied as part
of a weekly batch-GCD calculation, carried out every Monday. Results are emailed just
afterwards.

I'm concerned about privacy; why do you need my email address?

The batch-GCD test requires us to spin up a large cloud instance and run some significant
computation, so we only do it once a week. Email is a convenient way to manage result
notification. Note that we don't block disposable email addresses, Gmail "+" variants, etc.
If we do factor your key, we will only inform you of the result; we won't send the factors
or a private key in the email.

Which RSA key formats do you accept?

How does the Infineon key generation vulnerability testing work?

Public keys generated by the vulnerable library have a distinctive fingerprint
that can be tested for with a straightforward discrete log calculation (test
code is available on Github). Full details of the vulnerability will appear here.

What kinds of keys are affected by the Infineon RSA key generation issue?

Any key generated by an Infineon chip containing the vulnerable RSA
library code. This includes some TPMs, smartcards including electronic ID
cards, and certain authentication tokens. Not all keylengths are affected,
but common 1024 bit and 2048 bit keys are factorizable.

How does the batch GCD/shared factor testing work?

We apply the so-called "batch GCD" method using our implementation of
Bernstein's algorithm.
This calculates the Greatest Common Divisor (GCD) of the test key and the product of all
the keys in our database. If the test key shares one of its prime factors
with a key in our database, the GCD reveals that prime and both keys can be factored.
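The following is an added illustration of the batch-GCD computation described above; it is not Cryptosense's code. It builds Bernstein's product tree and remainder tree over a batch of moduli and reports every modulus that shares a prime with another. The moduli are constructed toy-sized values, not real RSA keys.

```python
from math import gcd

def product_tree(values):
    # Level 0 holds the inputs; each level above multiplies adjacent
    # pairs (an odd leftover is carried up unchanged). The top is the
    # product P of every modulus in the batch.
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([level[i] * level[i + 1] if i + 1 < len(level) else level[i]
                     for i in range(0, len(level), 2)])
    return tree

def batch_gcd(moduli):
    # Bernstein's method: compute gcd(N_i, P / N_i) for every i without a
    # quadratic number of pairwise GCDs. Walking the product tree back
    # down with "parent remainder mod node^2" yields P mod N_i^2 at each
    # leaf; dividing that by N_i gives (P / N_i) mod N_i, which is all
    # the final gcd needs.
    tree = product_tree(moduli)
    remainders = tree[-1]                       # top level: [P]
    for level in reversed(tree[:-1]):
        remainders = [remainders[i // 2] % (x * x) for i, x in enumerate(level)]
    return [gcd(r // n, n) for r, n in zip(remainders, moduli)]

def factor_shared(moduli):
    # Returns {index: (p, q)} for every modulus whose gcd with the rest of
    # the batch exposed a proper factor. A gcd equal to N itself means both
    # of N's primes appear elsewhere in the batch: the key is still broken,
    # but splitting it needs pairwise GCDs against the other hits, so it is
    # reported as (N, 1) here rather than split.
    out = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == 1:
            continue
        out[i] = (g, n // g) if g != n else (n, 1)
    return out

# Constructed demo batch (small primes, not real keys): N1 and N3 share the
# prime 10007, so both are factored; N2 and N4 share nothing and survive.
DEMO_MODULI = [10007 * 10009, 10037 * 10039, 10007 * 10061, 10067 * 10069]

if __name__ == "__main__":
    for i, (p, q) in factor_shared(DEMO_MODULI).items():
        print(f"key {i}: {DEMO_MODULI[i]} = {p} * {q}")
```

Real moduli are 1024 bits and up and a production database holds millions of them, which is why the tree form (rather than naive pairwise gcd) and a large cloud instance are needed.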

You can read all about this testing method in a pair of academic papers from 2012.

So those papers factored thousands of Internet-facing keys in 2012 - is this still
a problem?

We recently replicated the scans in these papers. In our results there
are fewer factorable keys, but it's still a problem: 1 in 700 Internet-facing
TLS keys and 1 in 10000 Internet-facing SSH keys were factored. This is
about one third the proportion that were factorable in 2012. At the end
of 2016, some of the original authors also replicated the work and
found similar results.

What kind of keys can be factored by the batch-GCD method?

From the information we have been able to obtain, most of the keys seem to
be in embedded systems like network hardware and appliances. This is
likely for the same reasons (bugs in entropy generation in "headless"
systems) that were proposed in the Heninger et al. paper.

Is this service free?

It's free for your first 5 keys, and we run the batches once a week. To submit
more keys and get a response in a few minutes, we offer a paid service with a web
API. Get in touch for more details on this. You can see the API documentation here.

What happens to the keys I submit?

If you submit your key to the free service, we keep it in our database and will
email you in future if we ever break it. If you use the premium service, you can
decide if you want to have your key kept in the database or not.

If my key isn't broken by this service, does that mean it's 100% guaranteed
secure?

No: there are some "corner case" factorization algorithms we don't apply, since they
are extremely rare in production keys (though more common in CTFs), and
although we update our blacklist regularly when new leaked keys are announced, e.g.
from reverse engineering attacks, someone may still be able to obtain your private
key by other means.